Arnold Clark is informing customers that their personal data has been stolen after the company was targeted in a massive cyber attack just before Christmas.
The Glasgow-headquartered firm was subject to an attack on December 23 and forced to shut down systems across the UK on Christmas Eve.
Arnold Clark said that was done voluntarily as a “purely protective measure”, adding that it had been able to protect customer data, the company’s systems and the systems of third-party partners.
However, following an internal investigation, the car dealership is now emailing affected customers to inform them that personal data stored in the company’s network may have been stolen.
The personal information includes names, contact details, dates of birth, vehicle details, ID documents (such as passports and driver’s licences), national insurance number and bank account details.
A spokesperson for Arnold Clark said: “On the evening of December 23, 2022, Arnold Clark Automobiles was a victim of a cyber attack.
“Our external security network consultants alerted us to unusual activity on our network, and we immediately took steps to minimise the impact of the attack by removing all external connections to our network to protect our customer data, third-party partners and our systems.
“While we were initially advised that all our data was secure, unfortunately, in the course of our investigation, it has become clear that during this incident, the attackers were able to steal copies of some data that we hold.
“Due to the type of cyber attack that we have been subjected to, it is extremely difficult to accurately identify what has been stolen; however, our teams are working with our external advisors to understand the exact nature and extent of that data.”
The company says it has taken several steps to protect partners and customers following the cyber attack, including setting up a call centre with its partners Experian to help those affected.
Arnold Clark is also writing to affected customers, as well as those potentially affected, and is offering 24 months’ fraud/credit protection with Experian free of charge.
The spokesperson added: “During this incident we have been in constant communication with the regulatory authorities and have sought useful guidance from the police, and we will continue to do so to help other companies learn from our experience and be better prepared for possible situations such as this.
“As a result of this incident, we have taken the decision to rebuild our networks in a new segregated environment, which has meant that our operational systems are not yet fully functional, so we apologise for any inconvenience this may cause our customers.”